Anti-Automation

Mobile first business relies on the unique data behind their APIs to provide them with an
edge in the market place. Such valuable data is vulnerable to appropriation by 3rd parties, also wishing to profit from it,
who will deploy automated systems (often bots) to scrape the API. Approov API protection is an effective anti-bot solution
which ensures that only legitimate apps can access your API.

Automated API Scraping

APIs provide an information rich and easy to traverse target for automated systems. The increasing
size of the API economy results in these automated scraping systems being developed into highly sophisticated bots capable of executing various attacks including:

Wholesale harvesting of any data which does not require an authentication to access

Probing for server side vulnerabilities with malformed requests

Automated account discovery and takeover using stolen credentials from other services

Large scale creation of accounts to support phishing and other fraudulent activities against the service and its
users.

These automated systems are increasingly capable of detecting and sidestepping behavioral analysis
based approaches for protecting APIs by adapting their behavior to appear human where necessary. This forces behavioral
approaches to become ever more sensitive, increasing the false positive rate and therefore reducing effectiveness.

Enforcing access control with user accounts protected with reCAPTCHA style anti-bot protections
may hamper fully automated exploitation of a system, but systems already exist for the bot to co-opt a human as required
to get them past this obstacle.

Traditional API keys start to provide the right kind of protection but these are vulnerable to
reverse engineering once the app containing them is published.

Approov API Protection

Approov provides a robust method for apps to positively identify themselves to your API allowing you to filter traffic to your service. Valid apps which are registered with the Approov Service are dynamically issued a short lived JSON Web Token (JWT) which is then sent with each request to your API. Traffic with valid JWTs is from known apps and can be prioritized.

Since Approov does not rely on embedded API keys there is nothing to be extracted and reused in automated systems. The Approov service will only grant tokens to unaltered, pre-registered apps preventing spoofing by automated scripts.

This positive identification approach, built on standard JWT technology, removes the possibility of false positives that behavioral approaches suffer from and is transparent to users. By using a simple JWT in the header, you have the flexibility to manage traffic in whatever way best suits your business needs. You can choose to block all unidentified traffic on the API, deprioritize it or simply monitor where it is coming from.